China Moves Cybersecurity Bill Despite Corporate Concerns

Nov. 1 — China is moving ahead with a cybersecurity bill that many foreign companies feel would impede the free flow of information by requiring storage of certain data within the country.

U.S. companies may not face immediate effects from the proposed law, but the uncertainty over its data localization implications for transfers from China bears watching.

A new version of the cybersecurity law was sent Oct. 31 by the Chinese government to the National People’s Congress for a final reading. If enacted, the law would focus on hackers from outside the country and would allow law enforcement and national security officials to put a freeze on assets and mete out other unspecified punishment, according to the government’s official news agency. The aim of the law is to protect critical infrastructure in China, the news agency said. The news agency didn’t release the text of the latest draft of the law.

The law would require businesses associated with critical infrastructure, such as energy and finance, to store “important business information” on servers located inside the country. In addition, the personal data of internet users in China would be required to be stored on Chinese servers. The Chinese authorities would have the power to scrutinize that data and deny its transfer outside of the country for commercial purposes, under the proposed law.

Previous Version Criticized

Concerns by foreign companies and investors over the data localization and other requirements of the proposed law, in the version filed during the summer, led a coalition of 46 global business groups to tell Chinese Premier Li Keqiang in August that the law would “impede economic growth,” create barriers for businesses trying to enter the Chinese market, “weaken security and separate China from the global digital economy.”

However, Manuel Maisog, a data privacy and security partner in the Beijing office of Hunton & Williams, said the focus of the proposed cross-border data transfer restrictions was more on Chinese businesses than on foreign companies although “foreign-invested banks and financial institutions might be affected.” Maisog made his comments on the second version of the bill during an August Bloomberg BNA webinar.

Another concern for foreign companies in China is the security of data stored on Chinese servers, he said. There are fears that sensitive information may be exposed to competitors, creating “the possibility that data localization will not achieve its objectives of information security and national security at all and may even lead to setbacks in those objectives,” Maisog said.

Xiaoyan Zhang, privacy counsel in the Shanghai and Hong Kong offices of Mayer Brown LLP, told Bloomberg BNA that no warrant is required for the Chinese government to access data stored inside the country if they cite a national interest. But multinational companies doing business in China wouldn’t be storing personal data collected outside the country on Chinese servers, she said.

Previous versions of the proposed law included new requirements to safeguard personal data held in China. It is unclear what the form of those requirements will be in the final version of the law, which is expected to be enacted before the end of the year.